How to set up secure file permissions and database permission in ubuntu

How to set up secure file permissions and database permission in ubuntu

Many junior developers are ready to set the permission to 777 for their project directory e.g. Laravel. So if you are setting your folder permissions to 777 you have opened your server to anyone that can find that directory. We can fix that easily. follow the next few steps.

There are basically two ways to setup your ownership and permissions for your directory on your project. Either you give yourself ownership or you make the web server the owner of all files like apache.

Web server as owner (the way most people do it for Laravel directory way) So we are assuming www-data for apache (it could be something else for different web servers) is your web server user.

sudo chown -R www-data:www-data /path/to/your/laravel/root/directory

or if you are in particular directory then follow the above command.

sudo chown -R www-data:www-data

if you do that, the web server owns all the files for you, and is also the group, and you will have some problems uploading files or working with files via FTP, because your FTP client will be logged in as you, not your web server (www-data), so add your user to the web server user group: assuming that ubuntu is your current user for ftp.

sudo usermod -a -G www-data ubuntu

Then you set all your directories to 755 or 775 and your files to 644 or 664. In next step we will SET file permissions.

for directory

sudo find /path/to/your/laravel/root/directory -type d -exec chmod 775 {} \;

for files

sudo find /path/to/your/laravel/root/directory -type f -exec chmod 664 {} \;

Now, you're secure and your website works, AND you can work with the files fairly easily.

Stop using /phpmyadmin publicly. we have to stop using it, only localhost can access it where you are with your PC.

You can restrict who can access the given location (URL path) using your web-server configuration. For example, if you use Apache on Ubuntu, then edit /etc/phpmyadmin/apache.conf to include Order, Deny and Allow directives (only the relevant part included):

sudo nano /etc/phpmyadmin/apache.conf

<Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks
DirectoryIndex index.php

Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>

Now we have situation where cann't accessing phpmyadmin from remote URL (http://YOURIPADDRESS/phpmyadmin) but still we want to access phpmyadmin for some reason like database update and view only.

Below is a gist for how to enable phpmyadmin only from localhost

Allow phpmyadmin only from localhost

This is can be accomplish by creating a tunnel between server using our ssh keys (.pem or .ppk).

Using .ppk Add tunnel setting Go to Connection->SSH->Tunnels in putty (make sure you have a connection string for your server configured with Auth using ppk file)

Add Tunnel Settings

Add Login Data Go to Connection->Data

add your username for server, in my case my ssh username for my ubuntu server is ubuntu.

Add Login Data

Now go back to session and save the settings.

Now open http://127.0.0.1:8888/phpmyadmin/ You can access the remote db from your local server using tunnel.

Using .pem suggested by @thedijje

Navigate to your pem file and type following commands.

ssh -N -L 8888:127.0.0.1:80 -i keyfile.pem username@youripaddress

example

ssh -N -L 8888:127.0.0.1:80 -i .\server.pem [email protected]

Now open http://127.0.0.1:8888/phpmyadmin/ You can access the remote db from your local server using tunnel.

Note: make sure your pem file permission is set to 400. :)